30 January 2009
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0101 -- [RedHat] Moderate: rhpki security and bug fix update 30 January 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: rhpki Publisher: Red Hat Operating System: Red Hat Linux Impact: Access Confidential Data Access: Existing Account CVE Names: CVE-2008-5082 CVE-2008-2368 CVE-2008-2367 Ref: ESB-2009.0059 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2009-0007.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rhpki security and bug fix update Advisory ID: RHSA-2009:0007-01 Product: Red Hat Certificate System Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0007.html Issue date: 2009-01-29 CVE Names: CVE-2008-2367 CVE-2008-2368 CVE-2008-5082 ===================================================================== 1. Summary: Updated rhpki-common packages that fix security issues are now available for Red Hat Certificate System 7.3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Certificate System 7.3 for 4AS - i386, noarch, x86_64 Red Hat Certificate System 7.3 for 4ES - i386, noarch, x86_64 3. Description: Red Hat Certificate System (RHCS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. It was discovered that Red Hat Certificate System used insecure default file permissions on certain configuration files (for example, password.conf) that may contain authentication credentials. These credentials should only be accessible to administrative and service users. A local user could use this flaw to read Red Hat Certificate System configuration files containing sensitive information. (CVE-2008-2367) It was discovered that Red Hat Certificate System stored plain text passwords in multiple debug log files with insufficient access restrictions (for example, the UserDirEnrollment log and the RA wizard installer log). A local user could use this flaw to extract plain text passwords from the Red Hat Certificate System debug log files. (CVE-2008-2368) It was discovered that the Token Processing System (TPS) component of the Red Hat Certificate System did not properly verify the challenge response received during the enrollment of a new security token. An attacker with access to a blank token known to the TPS component and with privileges to perform new token enrollments could use this flaw to complete the enrollment procedure with a software-generated key instead of the key stored in the hardware token. (CVE-2008-5082) These updated packages fix the following bugs: * The end-entities enrollment pages have been updated to support the certenroll.dll library used on Microsoft Vista, so Internet Explorer can be used on to enroll certificates on Vista. * The password used by the LDAP publisher was improperly stored in the CA configuration. This essentially required that the LDAP publishing password had to be the same as the internal database (LDAP directory) password, or LDAP publishing would break. A new parameter was added to the CA CS.cfg file to define an LDAP publishing password parameter in the CA's password.conf file. * The secure ports used by subsystem interfaces â€” the administrative console, agent pages, and end-entities pages â€” are, by default, the same. It is possible with this errata to run those services on separate port, which provides additional protection by prohibiting agents and users from accessing the same TCP port and web services directory. * The certificate policies extension was not processed by CMSServlet. * Any IP Address defined in a certificate's SubjectAltName parameter was improperly coded as an 8-byte number, with the last 4 bytes trailing zeros (00 00 00 00). * The subject name uniqueness plug-in in the CA profiles, which enforces unique names for all active certificates, would reject a certificate request which reused a subject name even if the previous certificate had been revoked or expired. * The TPS dependences have been changed from MozLDAP5 to MozLDAP6. All users of Red Hat Certificate System 7.3 should upgrade to these updated packages, which resolves these issues. 4. Solution: Users running Red Hat Certificate System on Red Hat Enterprise Linux: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 Users running Red Hat Certificate System on Sun Solaris: Updated Solaris packages, in .pkg format, are available in the Red Hat Certificate System Solaris channels on the Red Hat Network. This packages should be installed or upgraded using Solaris-native package management tools. For detailed installation instructions, see Chapter 2, "Installation and Configuration", of the Red Hat Certificate System 7.3 Administration Guide: http://redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Installation_and_Configuration.html 5. Bugs fixed (http://bugzilla.redhat.com/): 451998 - CVE-2008-2367 Certificate System: insecure config file permissions 452000 - CVE-2008-2368 Certificate System: plain text passwords stored in debug log 459049 - rhcs71 - IP Address in Subject Alt Name is Incorrectly Coded with padding 475998 - CVE-2008-5082 Certificate System: missing public key challenge proof verification in the TPS component 6. Package List: Red Hat Certificate System 7.3 for 4AS: i386: rhpki-tps-7.3.0-23.el4.i386.rpm noarch: pkisetup-7.3.0-14.el4.noarch.rpm rhpki-ca-7.3.0-17.el4.noarch.rpm rhpki-common-7.3.0-40.el4.noarch.rpm rhpki-kra-7.3.0-13.el4.noarch.rpm rhpki-ocsp-7.3.0-11.el4.noarch.rpm rhpki-ra-7.3.0-67.el4.noarch.rpm rhpki-tks-7.3.0-12.el4.noarch.rpm rhpki-util-7.3.0-20.el4.noarch.rpm x86_64: rhpki-tps-7.3.0-23.el4.x86_64.rpm Red Hat Certificate System 7.3 for 4ES: i386: rhpki-tps-7.3.0-23.el4.i386.rpm noarch: pkisetup-7.3.0-14.el4.noarch.rpm rhpki-ca-7.3.0-17.el4.noarch.rpm rhpki-common-7.3.0-40.el4.noarch.rpm rhpki-kra-7.3.0-13.el4.noarch.rpm rhpki-ocsp-7.3.0-11.el4.noarch.rpm rhpki-ra-7.3.0-67.el4.noarch.rpm rhpki-tks-7.3.0-12.el4.noarch.rpm rhpki-util-7.3.0-20.el4.noarch.rpm x86_64: rhpki-tps-7.3.0-23.el4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2367 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2368 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5082 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <firstname.lastname@example.org>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJgXjrXlSAg2UNWIIRAhGuAJ0dEfUOTN/WO+vbFhZsYJKTevuc+QCguNMl T9bf6uLn6lZmgQ8eSElgub4= =TuBi - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSYJBtCh9+71yA2DNAQILJwP+M5KOCH++nf9JtfVqfcNz5rn+kqTGMNvl fH/6nW/6qDw7JjMeNA+YnkgcbRhaozwWlKIU+KtznD+F/KTH4iwkGqaNZm/DIcnU GVb/apDPrBcMpJZNh/mH2VKhyrMSckRV38snIfCEryeG7g2XeohgIhFxDFDj9JhD hC/7ifp/SZQ= =huCT -----END PGP SIGNATURE-----